Contents
NetBackup Firewall Ports
1. NetBackup 52xx appliance
2. NetBackup 7
  Default ports
  Master server ports
  Media server ports
  EMM server ports
  Client ports
  Novell NetWare ports
  Administration Console ports
  Java Server ports
  Java Console ports
3. NetBackup 6.x and 7.x
  General Considerations
4. NetBackup Enterprise Server 7.0.1 and 7.1
5. Deployment Solution 6.x
6. NetBackup 5200/5220 appliance (for firewall between master and media server)
7. NetBackup PureDisk Release 6.6.3
  Communication ports between client agents and a storage pool
1. NetBackup 52xx appliance
http://www.symantec.com/docs/TECH178497
Which ports need to be opened on a firewall to allow access to the appliance's management
console and to use the KVM module to access the system console?
The Remote Console window is a Java applet that establishes TCP connections to the Intel®
RMM3 module. The protocol used for these connections is a unique KVM protocol,
not HTTP or HTTPS.
Service Port Description
TCP/IP 80 Standard
TCP/IP 443 Standard
KVM redirection 7578 Remote management/IPMI
Virtual CD-ROM redirection 5120 Remote management/IPMI
Virtual Floppy redirection 5123 Remote management/IPMI
2. NetBackup 7
http://www.symantec.com/connect/articles/symantec-netbackup-7-and-firewalls
Primarily, all communication uses TCP as the protocol, the exception being Granular Restore Technology (GRT) restores, where the UDP protocol is used for the NFS traffic. This is not covered in this article.
We start with the default ports, as most environments do not change them, followed by the ports for each tier.
Default ports
VNETD 13724 NetBackup Network daemon
VERITAS_PBX 1556 VxPBX Symantec Private Branch Exchange Service
VRTS-AT-PORT 2821 VxAT Symantec authentication service
VRTS-AUTH-PORT 4032 VxAZ Symantec Authorization Service
BPCD 13782 NetBackup Connection Daemon
PDDE_CTRL 10102 PureDisk Controller
PDDE_CR 10082 PureDisk Content Router
BPRD 13720 NetBackup Request Daemon
These eight ports are the primary ports used in almost all NetBackup environments using at least version 6.0. Support for 5.x clients and servers is very limited in NetBackup 7, as the main application communication protocols have changed as of version 6.0.
Master server ports
The master server needs to be able to communicate with all tiers, such as the media servers, EMM server, VxSS server, clients, as well as servers where the Java or Administration console is running. The following minimum ports are required:
Source Destination Service Port
Master Media VNETD 13724
Master Media VERITAS_PBX 1556
Master EMM VERITAS_PBX 1556
Master Client VNETD 13724
Master Netware VNETD 13724
Master Netware BPCD 13782
Master VxSS server VRTS-AT-PORT 2821
Master VxSS server VRTS-AUTH-PORT 4032
Media server ports
The media servers must be able to communicate with the master server and EMM server and obviously the clients. In secure environments the VxSS server is also required. In backup and restore operations it is primarily the media server that communicates with the clients.
Source Destination Service Port
Media Master VNETD 13724
Media Media VNETD 13724
Media Master VERITAS_PBX 1556
Media EMM VERITAS_PBX 1556
Media Client VNETD 13724
Media Netware VNETD 13724
Media Netware BPCD 13782
Media VxSS server VRTS-AT-PORT 2821
Media VxSS server VRTS-AUTH-PORT 4032
Media Media PDDE_CR 10082
Media Client PDDE_CTRL 10102
Media Client PDDE_CR 10082
EMM server ports
The Enterprise Media Manager server (EMM) is the central database for media information as well as many new features in 6.x and 7.0. The EMM server is in almost all cases installed on the master server, but for huge environments or in shared media environments, the EMM server may be a separate server.
Source Destination Service Port
EMM Master VERITAS_PBX 1556
EMM Media VERITAS_PBX 1556
EMM Admin Console VERITAS_PBX 1556
EMM Java Server VERITAS_PBX 1556
Client ports
The client requires access to the master server for scanning of backups as well as initiating user or archive operations. The client must also be able to connect to the media servers when connect-back backup types such as Oracle and SQL backup are used. When using client-side de-duplication, the client must also be able to communicate with the PDDE media servers or all servers in a PureDisk Storage Pool, including the Storage Pool Authority (SPA) and Content Routers (CR). In secure environments, the clients must also be able to authenticate against the VxSS server.
Source Destination Service Port
Client Master VNETD 13724
Client Media VNETD 13724
Client Media PDDE_CR 10082
Client VxSS server VRTS-AT-PORT 2821
Novell NetWare ports
If there are any NetWare servers being backed up, the following ports must be open:
Source Destination Service Port
Netware Master BPRD 13720
Netware Master VNETD 13724
Netware Media VNETD 13724
Administration Console ports
If you are using the Windows Administration console, which is a native Windows application, you first have to add the DNS name of the workstation or server to the list of "trusted" servers in the master server. The following ports must be open.
Source Destination Service Port
Admin Console Master VNETD 13724
Admin Console Master VERITAS_PBX 1556
Admin Console Media VNETD 13724
Java Server ports
The Java server is the process running on the master server when you connect using the Java Administration Console. It needs to be able to communicate with all the core components.
Source Destination Service Port
Java Server Master VNETD 13724
Java Server Master VERITAS_PBX 1556
Java Server Media VNETD 13724
Java Server EMM VERITAS_PBX 1556
Java Server VxSS server VRTS-AT-PORT 2821
Java Console ports
Many use the Java Console instead of the Windows native Administration Console, and as it uses the Java Server for further communication, it only requires the ports below:
Source Destination Service Port
Java Console Master VNETD 13724
Java Console Master VERITAS_PBX 1556
Java Console Java Server VNETD 13724
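The tier tables above can be checked mechanically against a firewall policy. The following is an added example, not part of the original articles: it encodes the master, media, EMM and client rows and reports required flows that no rule permits, plus rules on NetBackup ports that match no row in the tables. The rule format (source tier, destination tier, TCP port), the "any" wildcard and the sample ruleset are assumptions made for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Service names and TCP ports from the "Default ports" table.
PORTS = {"VNETD": 13724, "VERITAS_PBX": 1556, "BPCD": 13782, "BPRD": 13720,
         "VRTS-AT-PORT": 2821, "VRTS-AUTH-PORT": 4032,
         "PDDE_CTRL": 10102, "PDDE_CR": 10082}

# Rows copied from the master, media, EMM and client tables (other tiers omitted).
MATRIX = """
Master Media VNETD, Master Media VERITAS_PBX, Master EMM VERITAS_PBX, Master Client VNETD
Media Master VNETD, Media Media VNETD, Media Master VERITAS_PBX, Media EMM VERITAS_PBX
Media Client VNETD, Media Media PDDE_CR, Media Client PDDE_CTRL, Media Client PDDE_CR
EMM Master VERITAS_PBX, EMM Media VERITAS_PBX
Client Master VNETD, Client Media VNETD, Client Media PDDE_CR
"""

def required_flows(matrix=MATRIX):
    """Parse 'Source Destination Service' rows into a set of Flow tuples."""
    rows = (r.split() for r in matrix.replace("\n", ",").split(",") if r.strip())
    return {Flow(src, dst, PORTS[svc]) for src, dst, svc in rows}

def audit(rules, required=None):
    """rules: (src_tier, dst_tier, tcp_port) allow entries; the tier 'any' is a wildcard.
    Returns (required flows no rule permits, NetBackup-port rules matching no table row)."""
    required = required_flows() if required is None else required
    def permits(rule, flow):
        return (rule[0] in (flow.src, "any") and rule[1] in (flow.dst, "any")
                and rule[2] == flow.port)
    missing = sorted(f for f in required if not any(permits(r, f) for r in rules))
    excess = sorted(r for r in rules
                    if r[2] in PORTS.values() and Flow(*r) not in required)
    return missing, excess

def sample_rules():
    """Constructed ruleset: the matrix minus media-to-EMM PBX, plus a wildcard BPCD rule."""
    rules = [tuple(f) for f in required_flows() if f != Flow("Media", "EMM", 1556)]
    return rules + [("any", "Client", 13782)]

if __name__ == "__main__":
    missing, excess = audit(sample_rules())
    for f in missing:
        print(f"MISSING  {f.src} -> {f.dst} tcp/{f.port}")
    for r in excess:
        print(f"REVIEW   {r[0]} -> {r[1]} tcp/{r[2]} is not in the tables above")
```

A wildcard rule satisfies the required flows it covers but is still listed for review, because it permits more than any single row of the tables.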
3. NetBackup 6.x and 7.x
Tech136090
Solution
Legacy security considerations are as follows:
• Master server to media server requires the TCP ports for vnetd 13724 and PBX 1556, bidirectional.
• Master server to client requires the TCP port for vnetd 13724.
• Client to master server requires the TCP port for vnetd 13724 for client-initiated, not server-initiated, operations. Accordingly, it is generally best to open vnetd bidirectional in case client-initiated operations are needed at a future date.
• Media server to client requires the TCP port for vnetd 13724.
• Media server to media server requires the TCP port for vnetd 13724, bidirectional.
• SAN client and master/media servers require the TCP ports for vnetd 13724 and PBX 1556, bidirectional.
• Java/Windows admin consoles to master and media servers require the TCP ports for vnetd 13724 and PBX 1556, bidirectional.
• If using VxSS and NetBackup Access Control (NBAC):
  Master servers require the TCP ports to/for vrts-at 2821 and vrts-az 4032.
  Media servers require the TCP ports to/for vrts-at 2821 and vrts-az 4032.
  Clients require the TCP port to/for vrts-at 2821.
  Java/Windows admin consoles require the TCP port to/for vrts-at 2821.
• If using the OpenStorage plug-in by DataDomain:
  Requires access to UDP port 111 and TCP port 2049 on the target DataDomain array.
  Optimized duplication hosts require the TCP ports 10082 and 10102 to be open.
NetBackup 7.0.1 Considerations
The vnetd process is still listening on TCP port 13724. But most connections that previously used the vnetd port will now prefer to use the PBX port 1556. If the PBX port is unreachable, then the vnetd port will be used. Note that the Java console to master server uses the vnetd port for connection to bpjobd and the PBX port for all other connections. For efficiency, internal sockets on the loopback interface to processes on the same host use the daemon ports instead of passing through vnetd or PBX.
General Considerations
Use of Network Address Translation (NAT) is not directly supported. Dynamic NAT and Port Address Translation (PAT) introduce data security risks and other failures due to the inability to uniquely and consistently identify a remote host by IP address. If static one-to-one NAT is used, with consistent IP to host name mapping, in an unsupported firewall environment, it is suggested that host files be used to ensure that the forward and reverse lookups are unaffected by DNS maintenance or consolidation. The NetBackup clients and servers must be able to resolve the translated (NAT-ed) outside global IP address to the correct hostname. Most DMZ DNS servers require the reverse lookup table to be manually populated, so using a host file requires little additional administration.
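A host file used this way can be checked before it is deployed. The following is an added example, not part of the original technote: it parses hosts-file text and verifies that each NetBackup host name resolves forward to its translated address and that the address resolves back to the same name. The host names, addresses and the expected-mapping format are constructed for illustration.

```python
import ipaddress

def parse_hosts(text):
    """Return (forward, reverse) first-match lookup tables built from hosts-file text."""
    forward, reverse = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()       # drop comments and blank lines
        if len(fields) < 2:
            continue
        ip = str(ipaddress.ip_address(fields[0]))   # ValueError on a malformed address
        names = [n.lower() for n in fields[1:]]
        reverse.setdefault(ip, names[0])            # first name listed is the canonical one
        for name in names:
            forward.setdefault(name, ip)            # first match wins, as in a resolver
    return forward, reverse

def check_static_nat(hosts_text, expected):
    """expected: {hostname: translated (outside global) IP}. Returns a list of problems."""
    forward, reverse = parse_hosts(hosts_text)
    problems, seen = [], {}
    for host, nat_ip in sorted(expected.items()):
        host, nat_ip = host.lower(), str(ipaddress.ip_address(nat_ip))
        if forward.get(host) != nat_ip:
            problems.append(f"forward: {host} -> {forward.get(host)}, expected {nat_ip}")
        if reverse.get(nat_ip) != host:
            problems.append(f"reverse: {nat_ip} -> {reverse.get(nat_ip)}, expected {host}")
        if nat_ip in seen:                          # static NAT must be one-to-one
            problems.append(f"not one-to-one: {seen[nat_ip]} and {host} share {nat_ip}")
        seen.setdefault(nat_ip, host)
    return problems

# Constructed sample: the client entry still carries its inside address.
SAMPLE_HOSTS = """\
192.0.2.10  nbmaster.example.com nbmaster
192.0.2.20  nbmedia1.example.com nbmedia1
10.1.1.30   dmzclient.example.com   # inside address, not the translated one
"""
SAMPLE_EXPECTED = {"nbmaster.example.com": "192.0.2.10",
                   "nbmedia1.example.com": "192.0.2.20",
                   "dmzclient.example.com": "192.0.2.30"}

if __name__ == "__main__":
    for problem in check_static_nat(SAMPLE_HOSTS, SAMPLE_EXPECTED):
        print(problem)
```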
4. NetBackup Enterprise Server 7.0.1 and 7.1
The following table shows the ports that are used for NetBackup deduplication. If firewalls exist
between the various deduplication hosts, open the indicated ports on the deduplication hosts.
Deduplication hosts are the deduplication storage server, the load balancing servers, and the
clients that deduplicate their own data.
If you have only a storage server and no load balancing servers or clients that deduplicate their
own data, you do not have to open firewall ports.
Port Usage
10082 The NetBackup Deduplication Engine (spoold). Open this port between the hosts that deduplicate data.
10085 The deduplication database (postgres). The connection is internal to the storage server, from spad to spoold. You do not have to open this port.
10102 The NetBackup Deduplication Manager (spad). Open this port between the hosts that deduplicate data.
5. Deployment Solution 6.x
HOWTO46882 - Internal
About communication ports and firewall considerations for OpsCenter
The SMTP recipient ports can be configured from the Symantec OpsCenter console (using Settings > Configuration > SMTP Server). The SNMP trap recipient ports can also be configured from the Symantec OpsCenter console (using Settings > Recipients > SNMP). If these ports are changed, then the appropriate hardware ports have to be opened.
Table: Communication ports used by key Symantec OpsCenter components
Source Host: Symantec OpsCenter Server
Destination Host: Mail Server
Port Number: 25
Usage (Process Name): SMTP
Port Configuration: Allow from source to destination.

OpsCenter Server recipient destination.

Source Host: Symantec OpsCenter Server
Destination Host: NetBackup Master Server(s)
Port Number: 1556
Usage (Process Name): PBX (pbx_exchange)
Port Configuration: Allow between source and destination (bi-directional). PBX port number configuration is supported.

Source Host: Symantec OpsCenter Client
Destination Host: Symantec OpsCenter Server
Port Number: 1556
Usage (Process Name): PBX (pbx_exchange)
Port Configuration: Allow between source and destination. Some hardened servers and firewall configurations may block this port. PBX port number configuration is not supported.

Source Host: Web Browser
Destination Host: Symantec OpsCenter Server
Port Number: The following HTTP and HTTPS ports are checked for availability in the specified sequence and the first available port combination is used by default:
  1. 80 (HTTP) and 443 (HTTPS)
  2. 8181 (HTTP) and 8443 (HTTPS)
  3. 8282 (HTTP) and 8553 (HTTPS)
Usage (Process Name): HTTP and HTTPS
Port Configuration: Allow from all hosts on network.

Source Host: Symantec OpsCenter Server
Destination Host: Symantec OpsCenter Server
Port Number: 13786
Usage (Process Name): Sybase database (dbsrv11)
Port Configuration: Allow between source and destination. Some hardened servers and firewall configurations may block this port.

Source Host: Symantec OpsCenter Server
Destination Host: Host where Symantec Product Authentication Service (AT) Server is installed
Port Number: 2821
Usage (Process Name): NetBackup Product Authentication Service (vxatd)
6. NetBackup 5200/5220 appliance (for firewall between master and media server)
http://www.min.veritas.com/docs/manuals/netbackup/release5200/Appliance%20Getting%20Started%20Guide_202.pdf
Make sure that the following ports are open on any firewall that exists between a master server and a media server.
Port Service/Description
13724 vnetd
13720 bprd
1556 PBX
7578 Specific for 5220 when using TCP
80 Specific for 5200 when using TCP
5900 Specific for 5200 when using TCP